Self-Signed Certificate and Outlook VSTO Add-in Silent Installation

As in my CRM 4.0 design and deployment project we are reaching the end part of testing deployment phase. the Outlook Add-in I made using VSTO 3.0 with ClickOnce deployment will finally need to be deployed to client side and it's the time I am facing those digital signing stuffs as well as client machine silent installation without user interference. I'll just leave a summary here of steps to achieve this for later reference.

Major Steps:

1. Using a existing digital signing Certificate or creating a self-signed Certificate.

2. Signing the VSTO ClickOnce manifests with the Certificate.

3. Deploy / Import the Certificate to the client PCs.

4. Using command prompt to install VSTO package silently.

Details as follows:

1. Using a existing digital signing Certificate or creating a self-signed Certificate.

if you are obtaining certificates from existing CA, you may need to obtain the private/public key pairs in order to build the .pfx keypair file.

I am going to use the self-signed certificate to deploy the solution in testing phase. so I'll go the following steps.

I am referencing this post for most instructions: How to create your own code signing certificate and sign an ActiveX component in Windows. will dub a short instructions here for later reference.

a. Get OpenSSL.

b. Create Root CA Certificate.

        openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

c. Create Intermediate Server Certificate and signing with Root CA Certificate.

        openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

d. Create .pfx key pair for VSTO ClickOnce manifests AuthentiCode signing.

        openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt

e. Just in case, create the .snk public key file for later use.

        sn.exe -p exported.pfx exported.snk

f. You'll now have the following certificate files:

        ca.key: Root CA private key file .
ca.crt:
Root CA public key file .
server.key:
Server Certificate private key file .
server.csr:
Server Certificate public key file .
server.crt:
Server Certificate public key file signed with Root CA key files .
exported.pfx:
the Serve Certificate key pair file for code signing in Visual Studio 2008.
        exported.snk: optional public key .snk file containing server certificate for later use .

g. All you need to later steps are:

        ca.crt: Root CA public key file .
server.crt:
Server Certificate public key file signed with Root CA key files .
exported.pfx:
the Serve Certificate key pair file for code signing in Visual Studio 2008.

2. Signing the VSTO ClickOnce manifests with the Certificate.

using the exported.pfx file to setup VSTO ClickOnce Manifests signing. you can also signing the assembly with this keypair to create Strong Named assembly but it's not necessary to make the silent install work.

3. Deploy / Import the Certificate to the client PCs.

Import those Certificates to every client PC either manually by:

a. Import ca.crt to client PC's Certificate Store, inside "Trusted Root Certificate Authorities".
b. Import server.crt to client PC's Certificate Store, inside "Intermediate Certification Authorities".
c. Import server.crt to client PC's Certificate Store, inside "Trusted Publishers".

or you may also using AD to deploy the Root CA to client PCs. refering to this TechNet article for steps.

4. Install VSTO 3.0 pre-requisites before installing VSTO package.

by referencing this thread of posts, in order to install the VSTO package silently, instead of using the Visual Studio published setup.exe file, need to use the VSTOInstaller.exe with /Silent switch. and by using VSTOInstaller.exe, it won't check the pre-requisites thus needs to install those first to every client PC.

a. .NET Framework 3.5 SP1

https://www.microsoft.com/downloads/details.aspx?familyid=ab99342f-5d1a-413d-8319-81da479ab0d7&displaylang=en

b. VSTO version 3.0 (x86)

https://www.microsoft.com/downloads/details.aspx?FamilyID=54eb3a5a-0e52-40f9-a2d1-eecd7a092dcb&displaylang=en

c. Office PIA 2007 package

when Visual Studio 2008 published office add-in package, there will be Office 2007 PIA installer at publish\Office2007PIARedist\o2007pia.msi for installation and deployment. locate the installer and install it.

4. Using command prompt to install VSTO package silently.

open a command prompt manually or using other auto-deployment ways with the following command to install the VSTO package, sliently without user interference:

c:\> "%commonprogramfiles%\microsoft shared\VSTO\9.0\VSTOInstaller.exe" /I "https://published.server/outlookaddin/OutlookAddin.vsto"/S

the command will return immediately thus you won't know if the installation is succeeded or not. by checking the "Add/Remove Programs" in Control Panel you can see if your VSTO Add-in was installed or not. if it was not installed, remove the /S silent switch and run the VSTOInstaller again to see what's wrong. if there is a warning dialog box appeared saying that you are going to install a component from an "unknown publisher", your client PC certificate import operations may get something wrong and you need to check or re-import them again. if everything was going well you should only run this command and will see the component installed via the control panel. no other user interference is needed.

5. VSTO ClickOnce AutoUpdate.

after .NET Framework 3.5 SP1 and VSTO 3.0, now the ClickOnce application have the ability to auto-update itself if new version is published to the server. thus for the first-time install, it's possible to use AD logon script to check and install the VSTO package silently and for later updates, just refresh the server-side file to the latest version and next time when end-user opens Outlook (or other office applications), it will check the latest version from server and install itself if necessary.

FYI.

Technorati Tags: microsoft,offce,vsto,programming,codesign,code-signing,certificate,CA,openssl,x.509,authenticode